hiera-ehttp 0.0.1

data/.gitignore

@@ -0,0 +1,4 @@
+/pkg
+*.pem
+*.yaml
+*.json

data/README.md

@@ -0,0 +1,86 @@
+hiera-ehttp
+==============
+
+Description
+-----------
+
+This is a back end plugin for Hiera that allows lookup to be sourced from HTTP queries.  The intent is to make this backend adaptable to allow you to query any data stored in systems with a RESTful API such as CouchDB or even a custom store with a web front-end
+
+Example Configuration
+---------------------
+
+You can generate default keys with
+
+    hiera-ehttp keys -n "CN=hiera-http/DC=neverland"
+
+Grab the hiera-ehttp gem and then add this to your hiera config file
+
+    :backends:
+      - ehttp
+
+    :ehttp:
+      :host: 127.0.0.1
+      :port: 5984
+      :output: json
+      :failure: graceful
+      :keyfile: /etc/puppet/keys/key.pem
+      :certfile: /etc/puppet/keys/cert.pem
+      :paths:
+        - /hiera/%{fqdn}
+        - /hiera/defaults
+
+
+Using the command line utility you can encrypt a value
+
+    hiera-ehttp encrypt -c cert.pem -s "secret value"
+
+Configuration Parameters
+------------------------
+
+The following are optional configuration parameters
+
+`:output:` Specify what handler to use for the output of the request.  Currently supported outputs are plain, which will just return the whole document, or YAML and JSON which parse the data and try to look up the key
+
+`:http_connect_timeout:` Timeout in seconds for the HTTP connect (default 10)
+
+`:http_read_timeout:` Timeout in seconds for waiting for a HTTP response (default 10)
+
+`:failure:` When set to `graceful` will stop hiera-http from throwing an exception in the event of a connection error, timeout or invalid HTTP response and move on.  Without this option set hiera-http will throw an exception in such circumstances
+
+The `:paths:` parameter can also parse the lookup key, eg:
+
+    :paths:
+      /configuraiton.php?lookup=%{key}
+
+`:use_ssl:` When set to true, enable SSL (default: false)
+
+`:ssl_ca_cert` Specify a CA cert for use with SSL
+
+`:ssl_cert` Specify location of SSL certificate
+
+`:ssl_key` Specify location of SSL key
+
+`:keyfile:` The private key used when storing encrypted data
+
+`:certfile:` The certificate used when storing encrypted data
+
+If and only if both `:keyfile:` and `:certfile:` are specified then encryption will be enabled
+
+Notes
+-----
+
+If you want/need features added and don't hesitate to send a pull request or ask me to add them
+for you.
+
+This backend loosely follows the scheme that hiera-eyaml use so there may be some compatibility
+between these two projects, but I make no promises.
+
+The encryption support is not very fetured yet, and some things that came from the original
+hiera-http backend have not been tested in this backend yet. The moral is if you find a bug,
+make an issue so I know, or create a fix and create a pull request.
+
+Credits
+-------
+
+* Much of this code comes from the original hiera-http created by Craig Dunn <craig@craigdunn.org>
+* SSL components contributed from Ben Ford <ben.ford@puppetlabs.com>

data/Rakefile

@@ -0,0 +1,24 @@
+require 'rubygems'
+require 'rubygems/package_task'
+
+spec = Gem::Specification.new do |gem|
+    gem.name         = "hiera-ehttp"
+    gem.version      = "0.0.1"
+    
+    gem.author       = "Josh Hoover"
+    gem.email        = "floomby@nmt.edu"
+    gem.homepage     = "http://github.com/floomby/hiera-ehttp"
+    gem.summary      = "HTTP backend for Hiera supporting encrypted entries"
+    gem.description  = "Hiera backend for looking up data over HTTP APIs with support for encrypted values"
+    
+    gem.require_path = "lib"
+    gem.files        = `git ls-files`.split($\)
+    
+    gem.executables  = ["hiera-ehttp"]
+    
+    gem.add_dependency('json')
+end
+
+Gem::PackageTask.new(spec) do |pkg|
+    pkg.gem_spec = spec
+end

data/bin/hiera-ehttp

@@ -0,0 +1,137 @@
+#!/usr/bin/env ruby
+
+require 'base64'
+require 'openssl'
+require 'optparse'
+require 'ostruct'
+require 'pp'
+require 'time'
+require 'date'
+
+class HieraEhttpKeys
+    @banner = "Usage: hiera-ehttp keys [options]"
+    def self.parse(args)
+        options = OpenStruct.new
+        
+        # set the default cert name
+        options.name = "CN=hiera-http/DC=neverland"
+        
+        opt_parser = OptionParser.new do |opts|
+            opts.banner = @banner
+            
+            opts.on("-n", "--name <cert name>", "The name to use on the certificate") do |name| options.name = name end
+            
+        end
+        
+        opt_parser.parse!(args)
+        options
+    end
+    
+    def self.create(options)
+        
+        # create a key
+        key = OpenSSL::PKey::RSA.new 2048
+        
+        # write the private key out in pem format
+        open 'key.pem', 'w' do |io| io.write key.to_pem end
+        
+        # create a certificate to encrypt with
+        name = OpenSSL::X509::Name.parse options.name
+        
+        cert = OpenSSL::X509::Certificate.new
+        
+        cert.version    = 2
+        cert.serial     = 0
+        # make the certificate good for a year
+        cert.not_after  = Time.now
+        cert.not_before = Time.now + (60*60*24*365)
+        
+        cert.public_key = key.public_key
+        cert.subject    = name
+        cert.issuer     = name
+        
+        # write the cert in pem format
+        open 'cert.pem', 'w' do |io| io.write cert.to_pem end
+        
+    end
+    
+    def self.usage()
+        puts @banner
+    end
+end
+
+class HieraEhttpEncrypt
+    @banner  = "Usage: hiera-ehttp encrypt [options]"
+    
+    def self.parse(args)
+        options = OpenStruct.new
+    
+        options.strings = []
+        
+        opt_parser = OptionParser.new do |opts|
+            opts.banner = @banner
+            
+            opts.on("-c", "--certfile <certficate>", "Certificate to encrypt with") do |cert| options.certificate = cert end
+            opts.on("-s", "--string <value>", "String to encrypt") do |str| options.strings << str end
+            #opts.on("-j", "--json <file>", "Encrypt all of the values in a json file") do |file| options.jsons << file end
+            #opts.on("-y", "--yaml <file>", "Encrypt all of the values in a yaml file") do |file| options.yamls << file end
+            
+        end
+        
+        opt_parser.parse!(args)
+        options
+    end
+    
+    def self.encrypt(options)
+        # read in the certificate and create the cipher object
+        cert = OpenSSL::X509::Certificate.new (File.read options.certificate)
+        cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+        
+        # encrypt strings, jsons, and yamls
+        strings options.strings, cert, cipher
+        #jsons   options.jsons,   cert, cipher
+        #yamls   options.yamls,   cert, cipher
+    end
+    
+    def self.strings(strings, cert, cipher)
+        encs = []
+        strings.each do |str|
+            puts ("\"#{str}\":\"ENC[PKCS7," + (Base64.encode64 (OpenSSL::PKCS7::encrypt [cert], str, cipher, OpenSSL::PKCS7::BINARY).to_der).delete("\n\r") + "]\"\n")
+        end
+    end
+    
+    def self.jsons(jsons, cert, cipher)
+        puts "Encryption on json files unimplimented... Skiping"
+    end
+    
+    def self.yamls(yamls, cert, cipher)
+        puts "Encryption on yaml files unimplimented... Skiping"
+    end
+    
+    def self.usage()
+        puts @banner
+    end
+end
+
+usage = "Usage: hiera-ehttp <action>"
+
+action, *args = ARGV
+
+if !action or action == 'help'
+   puts usage
+   exit
+end
+
+case action
+when 'keys'
+    options = HieraEhttpKeys.parse args
+    HieraEhttpKeys.create options
+
+when 'encrypt'
+    options = HieraEhttpEncrypt.parse args
+    HieraEhttpEncrypt.encrypt options
+
+
+else
+    puts 'invalid action (valid actions: keys, encrypt)'
+end

data/lib/hiera/backend/ehttp_backend.rb

@@ -0,0 +1,160 @@
+require 'net/http'
+require 'net/https'
+require 'openssl'
+
+class Hiera
+  module Backend
+    class Ehttp_backend
+
+      def initialize
+        
+        Hiera.debug "test"
+        
+        @config = Config[:ehttp]
+
+        @http = Net::HTTP.new @config[:host], @config[:port]
+        @http.read_timeout = @config[:http_read_timeout] || 10
+        @http.open_timeout = @config[:http_connect_timeout] || 10
+
+        if @config[:use_ssl]
+          @http.use_ssl = true
+          if @config[:ssl_cert]
+            @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+            store = OpenSSL::X509::Store.new
+            store.add_cert OpenSSL::X509::Certificate.new File.read @config[:ssl_ca_cert]
+            @http.cert_store = store
+
+            @http.key = OpenSSL::PKey::RSA.new File.read @config[:ssl_cert]
+            @http.cert = OpenSSL::X509::Certificate.new File.read @config[:ssl_key]
+          end
+        else
+          @http.use_ssl = false
+        end
+
+        @keyfile  = @config[:keyfile]
+        @certfile = @config[:certfile]
+
+        # we will read in the key and the cert
+        if @keyfile && @certfile
+          @key  = OpenSSL::PKey::RSA.new File.read @keyfile
+          @cert = OpenSSL::X509::Certificate.new File.read @certfile
+        end
+      end
+
+      def lookup(key, scope, order_override, resolution_type)
+
+        Hiera.debug "test"
+
+        answer = nil
+
+        paths = @config[:paths].map { |p| Backend.parse_string p, scope, { 'key' => key } }
+        if order_override
+          paths.insert 0, order_override
+        end
+
+
+        paths.each do |path|
+
+          Hiera.debug "[hiera-ehttp]: Lookup #{key} from #{@config[:host]}:#{@config[:port]}#{path}"
+          httpreq = Net::HTTP::Get.new path
+
+          begin
+            httpres = @http.request httpreq
+          rescue Exception => e
+            Hiera.warn "[hiera-ehttp]: Net::HTTP threw exception #{e.message}"
+            raise Exception, e.message unless @config[:failure] == 'graceful'
+            next
+          end
+
+          unless httpres.kind_of? Net::HTTPSuccess
+            Hiera.debug "[hiera-ehttp]: bad http response from #{@config[:host]}:#{@config[:port]}#{path}"
+            Hiera.debug "HTTP response code was #{httpres.code}"
+            raise Exception, 'Bad HTTP response' unless @config[:failure] == 'graceful'
+            next
+          end
+
+          result = self.parse_response key, httpres.body
+          next unless result
+
+          parsed_result = Backend.parse_answer result, scope
+
+          case resolution_type
+          when :array
+            answer ||= []
+            answer << parsed_result
+          when :hash
+            answer ||= {}
+            answer = parsed_result.merge answer
+          else
+            answer = parsed_result
+            break
+          end
+        end
+        answer
+      end
+
+
+      def parse_response(key,answer)
+
+        return nil unless answer
+
+        Hiera.debug "[hiera-ehttp]: Query returned data, parsing response as #{@config[:output] || 'plain'}"
+
+        case @config[:output]
+
+        when 'json'
+          # If JSON is specified as the output format, assume the output of the
+          # endpoint URL is a JSON document and return keypart that matched our
+          # lookup key
+          self.json_handler key, answer
+        when 'yaml'
+          # If YAML is specified as the output format, assume the output of the
+          # endpoint URL is a YAML document and return keypart that matched our
+          # lookup key
+          self.yaml_handler key, answer
+        else
+          # When the output format is configured as plain we assume that if the
+          # endpoint URL returns an HTTP success then the contents of the response
+          # body is the value itself, or nil.
+          #
+          decrypt answer
+        end
+      end
+
+      # Handlers
+      # Here we define specific handlers to parse the output of the http request
+      # and return a value.  Currently we support YAML and JSON
+      #
+      def json_handler(key, answer)
+        require 'json'
+        self.decrypt (JSON.parse answer)[key]
+      end
+
+      def yaml_handler(key, answer)
+        require 'yaml'
+        self.decrypt (YAML.load answer)[key]
+      end
+
+      def decrypt(answer)
+        if @keyfile && @certfile
+          require 'base64'
+          if a = /ENC\[([^,]+),([^\]]+)\]/.match(answer)
+            # right now we only support PKCS7
+            if a[1] != 'PKCS7'
+              Hiera.debug "[hiera-ehttp] #{a[1]} is an unsupported algorithm (supported: PKCS7)"
+              raise Exception, 'Unsupported Algorithm' unless @config[:failure] == 'graceful'
+            end
+            
+            # we are good to decrypt
+            (OpenSSL::PKCS7.new Base64.decode64 a[2]).decrypt @key, @cert
+          else
+            answer
+          end
+        else
+          answer
+        end
+      end
+
+    end
+  end
+end

metadata

@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: hiera-ehttp
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Josh Hoover
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Hiera backend for looking up data over HTTP APIs with support for encrypted
+  values
+email: floomby@nmt.edu
+executables:
+- hiera-ehttp
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- README.md
+- Rakefile
+- bin/hiera-ehttp
+- lib/hiera/backend/ehttp_backend.rb
+homepage: http://github.com/floomby/hiera-ehttp
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: HTTP backend for Hiera supporting encrypted entries
+test_files: []